Introduction

Akhil Behl is a solutions architect with Cisco Services, focusing on Cisco Collaboration and Security architectures. He leads collaboration and security projects and service delivery worldwide for Cisco Services and the Collaborative Professional Services (CPS) portfolio. He has played a major role in service conception and creation for various services within Cisco Advanced Services. His experience spans presales, sales, Professional Services, delivery, and post-sales, with expertise in consulting, advisory, and guidance services. He has extensive experience in the borderless, collaboration, and data center portfolios. Prior to his current role, he spent 10 years working in various roles at Linksys as a technical support lead, as an escalation engineer at the Cisco Technical Assistance Center (TAC), and as a network consulting engineer in Cisco Advanced Services.

Akhil has a bachelor of technology degree in electronics and telecommunications from IP University and a master's degree in business administration from Symbiosis Institute. He is a dual Cisco Certified Internetwork Expert (CCIE 19564) in voice and security. He also holds many other industry certifications, such as PMP, ITIL, VCP, ISM, CCNA, CCSP, CCVP, ISO/IEC 27002, TOGAF, and CEH.

Over the course of his career, Akhil has presented and contributed at various industry forums such as Enterprise Connect, Cloud Connect, Cloud Summit, Interop, Cisco Networkers, and SecCon. He has several research papers published in various national and international journals, including IEEE. He is an avid blogger and maintains a blog about unified communications security at http://ucsecurity.wordpress.com.

Akhil is the author of the Cisco Press title “Securing Cisco IP Telephony Networks” (ISBN 1-58714-295-3).

Q: What is the function of CAPF?

A: Certificate Authority Proxy Function (CAPF) is the core of CUCM security and enables secure signaling with Transport Layer Security (TLS) and secure media with Secure Real-Time Transport Protocol (SRTP) on the CUCM cluster. CAPF enables the endpoints to establish secure signaling with the CUCM cluster and SRTP between themselves. CAPF is also the root for the Locally Significant Certificate (LSC).

Q: Does SRTP use symmetric key cryptography?

A: SRTP uses asymmetric keys. TLS also uses

Q: What is the difference between the Identity certificate and the Certificate Authority (CA) certificate?

A: The CA Certificate is a self-signed certificate generated by a trusted third party (CA). It is used to sign the Certificate Signing Request (CSR) and installed on the client before the signed certificate can be installed. The Identity certificate is a certificate that results from CA signing the CSR, and it is installed on the server.

Q: Can you describe the phone downloading certificate process?

A: The CTL client signs the CTL file with the private key (SAST) from the security token (USB token). As a result, the CTL file is created with the CTL client and signed by the Cisco Site Administrator Security Token (SAST).

Q: Hostname=FQDN. Does this mean that, when you create servers, you have to use a Fully Qualified Domain Name (FQDN) instead of IP addresses in order to create a CUCM cluster?

A: When you create a cluster, you enter the IP address if you do not use a Domain Name Server (DNS). If you want to use an external CA in order to sign the certificate of your CUCM node, you need to use the FQDN or the hostname. This further implies that CUCM may not use an FQDN with a DNS suffix; however, DNS server records can be created to resolve the CUCM hostname to an IP address, thereby avoiding any need for a DNS client on CUCM.

Q: If CA can create certificates with IP addresses instead of FQDN, can you keep the IP addresses in CUCM?

A: Yes, the Subject Name can be the IP address. In most cases, the subject name is kept as the FQDN or hostname, and an Alt Subject Name can be added (if required) as the FQDN/hostname or IP address.
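To make the two answers above concrete, here is an added example (not from the original post or from Cisco) of the name-matching rule a TLS client applies: when a Subject Alternative Name (SAN) extension is present it is authoritative and the Subject CN is ignored, and an IP literal only ever matches an iPAddress SAN entry. The certificate names below are constructed, hypothetical values chosen to show why a hostname-only subject fails for clients that dial the node by IP.

```python
import ipaddress

# Constructed sample: names a CUCM node's identity certificate might carry
# (hypothetical values, not taken from any real cluster).
CERT_SUBJECT_CN = "cucm-pub"                  # bare hostname in the Subject
CERT_SAN = [
    ("DNS", "cucm-pub.example.com"),          # FQDN as a dNSName SAN entry
    ("DNS", "cucm-pub"),                      # hostname as a dNSName SAN entry
    ("IP", "10.10.10.5"),                     # IP as an iPAddress SAN entry
]

def _dns_matches(pattern, host):
    """Case-insensitive dNSName match; one leading '*' label may match one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return False

def _as_ip(value):
    """Return an ip_address object for an IP literal, or None for a DNS name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def name_matches_cert(client_address, subject_cn, san_entries):
    """Decide whether the address a client dialed is covered by the certificate.

    RFC 6125 rule: a SAN extension, when present, is authoritative (CN ignored);
    an IP literal matches only an iPAddress entry; with no SAN at all, fall back
    to the Subject CN, and then only for DNS names.
    """
    ip = _as_ip(client_address)
    if san_entries:
        for kind, value in san_entries:
            if ip is not None and kind == "IP" and _as_ip(value) == ip:
                return True
            if ip is None and kind == "DNS" and _dns_matches(value, client_address):
                return True
        return False
    return ip is None and _dns_matches(subject_cn, client_address)

def check_all(addresses, subject_cn=CERT_SUBJECT_CN, san_entries=CERT_SAN):
    """Map each way a client might address the node to whether the cert covers it."""
    return {a: name_matches_cert(a, subject_cn, san_entries) for a in addresses}

if __name__ == "__main__":
    for addr, ok in check_all(["cucm-pub.example.com", "cucm-pub", "10.10.10.5", "10.10.10.6"]).items():
        print(f"{addr:25s} -> {'match' if ok else 'NO MATCH'}")
```

Run against a certificate whose SAN carries only the FQDN, the same check rejects both the bare hostname and the IP, which is the practical reason for adding them as Alt Subject Names when clients use those forms.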

Q: Are certificate chains upload supported by CUCM?

Q: Do you need to restart the CUCM service after you install Call Manager certificates for secure conferencing?

A: Yes, you need to restart the CUCM service.

Q: How is the VPN phone certificate affected when a CUCM upgrade is performed?

A: Ideally the VPN certificate should not expire if a VPN phone works remotely, is connected to the CUCM, and is upgraded. However, if the certificate expires, the phone must be brought back to the enterprise premises, and you can download the new certificate over the trust-established connection. The CUCM upgrade does not impact the VPN phones remotely because the upgrade does not replace any certificates.

Q: Will CUCM support Simple Certificate Enrollment Protocol (SCEP)?

A: SCEP is not supported yet and SCEP support isn't on the roadmap.

Q: Online Certificate Status Protocol (OCSP) certificate verification happens only during the certificate upload process. Why does it not occur during the certificate lifetime like all other products that use OCSP, such as the Cisco Identity Services Engine (ISE)? Will this be changed in a future UCM release?

A: This is not committed yet.

Q: Will CUCM, Cisco Unified Presence Server (CUPS), or Jabber support the Network Device Enrollment Service (NDES) (Microsoft)? Do CUPS, CUCM, or another Cisco application support SCEP?

A: These are not supported as of today and are not on the roadmap.

Q: What about SCEP in UC?

A: SCEP is not used commonly with Cisco devices/applications and is not currently supported on any UC applications.